SPECIAL/PUB01 use case

From Data Privacy Vocabularies and Controls Community Group

Use Case PUB01 – Public bodies specific requirements

Owner of Use Case

Harald Zwingelberg (affiliations: ULD, H2020-project SPECIAL)

Description

This use case describes legal requirements that are specific to some or all entities governed by public law, in comparison to entities governed by private law and private corporate law. Public entities may be subject to specific rules that mandate them to store, transfer or share personal information based on the applicable public law, e.g. freedom of information acts or the duty to cooperate with other public bodies.

  • public entities
  • event/situation it applies to
    • request to acting entity
      • freedom of information request
      • request for administrative cooperation, which may be mandatory to reply to
      • Public Prosecutor's investigations and requests
      • ...
    • condition met triggering data processing
      • archives: obligation to offer files and data to public archives / open access / public access prior to deletion
      • jurisdiction: in the course of the administrative process, some change in the circumstances determining competence/obligation occurs and transfer of the case to another entity is demanded
      • ...
  • actors/entities involved
    • public entity (controller)
    • recipient entity
    • private or public entity requesting information

Requirements

  • Public law demanding certain processing of personal data.
  • Taxonomy connection via Art. 6 (1)e but may be more complex


Related functional requirements

  • Can address specific demands to process (store, retain, transfer) personal data by public entities.

Related non-functional requirements

Requirement conflicts (if any)

Potential conflicts: Usually none. The legal norms often contain a balance between processing and preserving informational self-determination, anticipated by the lawmaker, or a balancing test to be performed to resolve arising conflicts, in particular with data protection laws.

Requirement similarities (if any)

Potential similarities

Requirement subsets/refinements (if any)

Component(s)

  • List of components and short explanation

Types/classes of data involved

  • List with short explanation

Actors

  • Public entity addressed
  • may have: Public or private entity demanding data

Preconditions

  • Specific legal requirement applicable to public bodies triggers processing of personal data. Triggering event may e.g. be a request by a person under a freedom of information act or the end of the usual retention period triggering planned deletion of files that must by law be offered for transfer to a public archive prior to deletion.


Currently used technologies: Depends on the particular case. As the standard use case, assume an individual request and an individual response: searching for the requested data, evaluation of the legal ground to process the data, followed by the processing asked for or denial thereof. There may be automated data exchanges in place, e.g. in German social security systems periodic automated data matchings are foreseen to identify social fraud, e.g. obtaining unemployment benefits while already employed again. Example: § 52 SGB II (Book II of the German Social Security Act).

Postconditions

  • Decision made on the basis of applicable law.
  • Decision followed by permitting or refusing data processing.

Normal Flow

  • Trigger:
    • Incoming request for personal data
    • other trigger such as a condition met
  • decision process to process personal data
  • allow or deny processing

Alternate Flows

Specify potential alternate flows

Evaluation of UC and requirements realisation

(e.g. manual, automatically...)